CVE-2026-22418
Published: 05 March 2026
Summary
CVE-2026-22418 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22418 is an Improper Control of Filename for Include/Require Statement vulnerability, classified as a PHP Remote File Inclusion issue that enables PHP Local File Inclusion, affecting the Great Lotus WordPress theme developed by AncoraThemes. The vulnerability impacts all versions of the great-lotus theme from n/a through 1.3.1. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-98. The issue was published on 2026-03-05.
Remote, unauthenticated attackers can exploit this vulnerability over the network with high attack complexity and no user interaction required. Successful exploitation allows inclusion of local files, leading to high impacts on confidentiality, integrity, and availability, such as unauthorized access to sensitive data or potential disruption of the affected WordPress site.
Mitigation details are available in advisories like the Patchstack database entry at https://patchstack.com/database/Wordpress/Theme/great-lotus/vulnerability/wordpress-great-lotus-theme-1-3-1-local-file-inclusion-vulnerability?_s_id=cve.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9547
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Great Lotus great-lotus allows PHP Local File Inclusion.This issue affects Great Lotus: from n/a through <= 1.3.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unauthenticated remote file inclusion (LFI/RFI) flaw in a public-facing WordPress theme, directly enabling exploitation of a public-facing web application to read sensitive files or achieve RCE.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 requires validation of filenames used in PHP include/require statements, directly preventing improper file inclusion as exploited in this CVE.
SI-2 mandates identification and remediation of flaws like the vulnerable code in the Great Lotus theme, eliminating the root cause of this LFI vulnerability.
CM-6 enforces secure configuration settings such as PHP open_basedir restrictions, limiting the scope of local file access even if input validation fails.